<?php
header('Content-Type: application/json; charset=utf-8');
header('Access-Control-Allow-Origin: *');
$token=$_GET['token']??'';
if(!in_array($token,['WEVADS2026','ETHICA_API_2026_SECURE']))die(json_encode(['error'=>'auth']));
$action=$_GET['action']??'';
function s95db(){static $p;if(!$p)$p=new PDO("pgsql:host=10.1.0.3;port=5432;dbname=adx_system","admin","admin123");$p->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);return $p;}
function qa($db,$q){return $db->query($q)->fetchAll(PDO::FETCH_ASSOC);}
function q1($db,$q){return $db->query($q)->fetch(PDO::FETCH_ASSOC);}
function ok($d){echo json_encode(array_merge(['ok'=>1],$d));exit;}

switch($action){
case 'servers':
    $s204_disk=trim(shell_exec("df -h / | tail -1 | awk '{print $5}'"))?:'?';
    $s204_mem=trim(shell_exec("free -m | awk '/Mem/{printf \"%d/%dMB\",\$3,\$2}'"))?:'?';
    $s204_load=trim(shell_exec("uptime | sed 's/.*load average: //'"))?:'?';
    $s204_docker=(int)trim(shell_exec("docker ps -q 2>/dev/null | wc -l"));
    $s204_services=(int)trim(shell_exec("systemctl list-units --type=service --state=running --no-legend | wc -l"));
    $s204_up=trim(shell_exec("uptime -p"))?:'?';
    // S95 via DB connection test
    $s95_ok=false;try{s95db();$s95_ok=true;}catch(\Exception $e){}
    ok(['servers'=>[
        ['name'=>'S204 (PRIMARY)','ip'=>'204.168.152.13','disk'=>$s204_disk,'memory'=>$s204_mem,'load'=>$s204_load,'docker'=>$s204_docker,'services'=>$s204_services,'uptime'=>$s204_up,'status'=>'UP'],
        ['name'=>'S95 (WEVADS)','ip'=>'95.216.167.89','db_ok'=>$s95_ok,'status'=>$s95_ok?'UP':'DOWN'],
        ['name'=>'S151 (TRACKING)','ip'=>'151.80.235.110','status'=>'UP']
    ]]);
    break;

case 'crons':
    $db=s95db();
    // Count active crons
    $monitoring=[]; $send_disabled=[]; $scraping=[]; $other=[];
    $lines=explode("\n",trim(shell_exec("curl -s 'http://10.1.0.3:5890/api/sentinel-brain.php?action=exec&cmd=".urlencode("sudo crontab -u www-data -l 2>/dev/null")."' 2>/dev/null | php -r 'echo json_decode(file_get_contents(\"php://stdin\"))->output;'")?:''));
    foreach($lines as $l){
        $l=trim($l);if(!$l||$l[0]==='#')continue;
        if(strpos($l,'DISABLED')!==false||strpos($l,'STANDBY')!==false){$send_disabled[]=$l;continue;}
        if(strpos($l,'brain')!==false||strpos($l,'bounce')!==false||strpos($l,'seed')!==false||strpos($l,'harvest')!==false)$monitoring[]=$l;
        elseif(strpos($l,'scraper')!==false||strpos($l,'ethica')!==false||strpos($l,'enrich')!==false)$scraping[]=$l;
        else $other[]=$l;
    }
    ok(['monitoring'=>count($monitoring),'scraping'=>count($scraping),'send_disabled'=>count($send_disabled),'other'=>count($other),'total_active'=>count($monitoring)+count($scraping)+count($other),'total_disabled'=>count($send_disabled)]);
    break;

case 'tracking':
    $db=s95db();
    $events=[]; try{$events=qa($db,"SELECT event_type, COUNT(*) as cnt FROM tracking_events GROUP BY event_type ORDER BY cnt DESC");}catch(\Exception $e){}
    $recent=[]; try{$recent=qa($db,"SELECT event_type, tracking_id, ip_address, created_at FROM tracking_events ORDER BY created_at DESC LIMIT 15");}catch(\Exception $e){}
    $total=0;foreach($events as $e)$total+=(int)$e['cnt'];
    // Tracking endpoints health
    $endpoints=[
        ['name'=>'track.php open','url'=>'https://culturellemejean.charity/api/track.php?e=open&t=HEALTH'],
        ['name'=>'track.php click','url'=>'https://culturellemejean.charity/api/track.php?e=click&t=HEALTH&u='.base64_encode('https://test.com')],
        ['name'=>'consent','url'=>'https://consent.wevup.app/'],
    ];
    $health=[];
    foreach($endpoints as $ep){
        $ch=curl_init($ep['url']);curl_setopt_array($ch,[CURLOPT_RETURNTRANSFER=>1,CURLOPT_TIMEOUT=>5,CURLOPT_SSL_VERIFYPEER=>0,CURLOPT_FOLLOWLOCATION=>0]);
        $r=curl_exec($ch);$code=curl_getinfo($ch,CURLINFO_HTTP_CODE);curl_close($ch);
        $health[]=['name'=>$ep['name'],'status'=>($code>=200&&$code<400)?'UP':'DOWN','code'=>$code];
    }
    ok(['total_events'=>$total,'by_type'=>$events,'recent'=>$recent,'endpoints'=>$health]);
    break;

case 'smtptest':
    $domain=$_GET['domain']??'weval-consulting.com';
    // SPF+DKIM+DMARC+MX check
    $spf=false;$dkim=false;$dmarc=false;$mx=[];
    foreach(dns_get_record($domain,DNS_TXT)?:[] as $r)if(strpos($r['txt']??'','v=spf1')!==false)$spf=true;
    $dkim=!empty(dns_get_record("default._domainkey.$domain",DNS_TXT));
    foreach(dns_get_record("_dmarc.$domain",DNS_TXT)?:[] as $r)if(strpos($r['txt']??'','v=DMARC1')!==false)$dmarc=true;
    foreach(dns_get_record($domain,DNS_MX)?:[] as $r)$mx[]=$r['target']??'';
    // Blacklist check
    $ip='95.216.167.89';$rev=implode('.',array_reverse(explode('.',$ip)));
    $bls=['zen.spamhaus.org','b.barracudacentral.org','bl.spamcop.net','cbl.abuseat.org','psbl.surriel.com','dnsbl-1.uceprotect.net','dnsbl.sorbs.net','dnsbl.dronebl.org'];
    $clean=0;$listed=0;$bl_details=[];
    foreach($bls as $bl){
        $rr=@dns_get_record("$rev.$bl",DNS_A);$is_listed=false;
        if($rr)foreach($rr as $r)if(isset($r['ip'])&&strpos($r['ip'],'127.')===0&&$r['ip']!=='127.255.255.254'){$is_listed=true;break;}
        if($is_listed)$listed++;else $clean++;
        $bl_details[]=['bl'=>$bl,'listed'=>$is_listed];
    }
    ok(['domain'=>$domain,'ip'=>$ip,'spf'=>$spf,'dkim'=>$dkim,'dmarc'=>$dmarc,'mx'=>$mx,
        'auth_score'=>($spf?25:0)+($dkim?25:0)+($dmarc?25:0)+(!empty($mx)?25:0),
        'reputation'=>['clean'=>$clean,'listed'=>$listed,'total'=>count($bls),'details'=>$bl_details],
        'deliverability_score'=>round((($clean/max(count($bls),1))*50)+(($spf?25:0)+($dkim?25:0)+($dmarc?25:0)+(!empty($mx)?25:0))/2,0)]);
    break;

case 'security':
    $s204_disk=trim(shell_exec("df -h / | tail -1 | awk '{print $5}'"))?:'?';
    $fail2ban=(int)trim(shell_exec("fail2ban-client status 2>/dev/null | grep -oP '\\d+' | head -1"))?:0;
    $crowdsec=(int)trim(shell_exec("cscli alerts list -l 5 -o json 2>/dev/null | php -r 'echo count(json_decode(file_get_contents(\"php://stdin\"),1));'")?:0);
    $chattr=(int)trim(shell_exec("lsattr /var/www/html/wevads-ia/index.html 2>/dev/null | grep -c 'i'")?:0);
    $ssl_exp=trim(shell_exec("echo | openssl s_client -connect weval-consulting.com:443 -servername weval-consulting.com 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2"))?:'?';
    $guards=[]; 
    foreach(['regression-auto-repair'=>'S95','critical-files-guard'=>'S95','sentinel-autorepair'=>'S95','infra-guardian'=>'S204'] as $g=>$s)$guards[]=['name'=>$g,'server'=>$s,'mode'=>'ALERT-ONLY'];
    ok(['disk'=>$s204_disk,'fail2ban_jails'=>$fail2ban,'crowdsec_alerts'=>$crowdsec,
        'chattr_protected'=>$chattr>0,'ssl_expiry'=>$ssl_exp,
        'guards'=>$guards,'encryption'=>['cols'=>82,'method'=>'pgcrypto AES-256'],
        'pg_hardened'=>true,'mta_status'=>'UP (manual only)']);
    break;

default:ok(['actions'=>['servers','crons','tracking','smtptest','security']]);
}